Remediation Templates
Create and manage access remediation instructions for custom applications.
Custom templates for Access Remediation are provided as an Early Access feature. Please contact your Veza customer success team for more details, and to enable this option.
Overview
Custom instructions contain one or more possible solutions and steps to remove access for Apps and Identity Providers added using Open Authorization API connectors. A template will be applied (provided as possible remediation steps) when all conditions are true:

- Access removal is requested for a node of `source_node_type`
- The destination node type for the changed access is `destination_node_type`
- `property_matchers` all match:
  - `matched_node_type` determines whether to match a named property of the source or destination node (`0` or `1`)
  - `matched_property_name` is the name of the property to match
  - `matched_property_value` is the exact value to match
Depending on the order in which templates are created, more than one template might match a pair of (source, destination) nodes. In that case only the first matching template (in the order returned by the "List" API) applies.
Methods
Operation | Method | Syntax |
---|---|---|
Create Recipe Instruction Template | POST | |
List Recipe Instruction Templates | GET | |
Delete Recipe Instruction Template | DELETE | |
Instruction template properties
Key | Type | Description |
---|---|---|
 | string | Instruction template ID |
`template_steps` | array | Instructions for access remediation |
`source_node_type` | string | Template applies when result source is an entity of this type (such as "CustomUser" or "CustomGroup") |
`destination_node_type` | string | Template applies when destination is an entity of this type (such as "CustomApplication" or "CustomRole") |
`property_matchers` | array | Defines the matching source or destination node properties the template applies for |
Example:
Template steps
Remediation Proposals enable users to request changes to authorization when reviewing certifications. Since the exact steps to alter permissions, such as removing users or changing groups, can vary from application to application, you can use template steps to add customized directions for:

- Access removal for pairs of entity types (source, destination)
- Instructions based on properties of the source or destination node (such as a unique `provider_name`)

Instructions are specified in `template_steps`. They will be shown when remediation is requested for users with authorization paths containing a matching source and destination entity type.

You can provide more than one set of steps in `template_steps`. Responders can pick any of the steps to complete the task.

Templates only apply when a property on either the source or destination node matches a specific value. This enables separate instruction sets for apps of similar entity types.

If there are multiple possible solutions, specify them as a comma-separated list (`["Option A", "Option B"]`). Multi-step instructions should be specific: `["1: ... 2: ... 3: ... "]`.

Templates can use placeholders to reference any value on a source or destination node, such as the user's `provider_name`.
Placeholders
Two placeholders can be used in `template_steps` strings. They are replaced using graph metadata when the remediation request is created. When viewing instructions, placeholders in the format `{{<node>.<property_name>}}` are replaced with a source or destination node property value:

- `<node>` must be `source` or `destination`
- `<property_name>` can be any property of the node. Non-string values are formatted with `fmt.Sprintf("%v", value)` for safety.
When the recipe is created, the instruction steps will be saved and won't change, even if the graph properties change later. Placeholders can reference any source or destination node property, regardless of the `property_matchers` applied.
Property Matchers
Instructions will only apply when either the source or destination node has a matching property, such as `provider_name`. This is used to differentiate between multiple custom app integrations (multiple custom Identity Providers or OAA connectors).

key | type | description |
---|---|---|
`matched_node_type` | int | Whether to match a property of the source or of the destination node |
`matched_property_name` | string | Property to match (for example `provider_name`) |
`matched_property_value` | string | Exact value to match (for example `SOME_PROVIDER`) |
Note that only string values are supported.
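The following is an added example, not Veza's own code: it evaluates the three conditions from the Overview (source type, destination type, and every property matcher) against constructed graph nodes and returns the first matching template in List order, which is what decides between overlapping templates. The node shape (`type` plus a `properties` dict), the template ids, the `OTHER_PROVIDER` value and the reading of `matched_node_type` `0` as source and `1` as destination are assumptions made for this example.

```python
from typing import Optional

# Assumption (not stated on the page): matched_node_type 0 selects the source
# node and 1 selects the destination node.
MATCH_SOURCE = 0
MATCH_DESTINATION = 1


def matcher_applies(matcher: dict, source: dict, destination: dict) -> bool:
    """A property matcher holds when the named property on the selected node
    equals matched_property_value exactly. Only string values are supported,
    so a non-string property never matches."""
    node = source if matcher["matched_node_type"] == MATCH_SOURCE else destination
    value = node.get("properties", {}).get(matcher["matched_property_name"])
    return isinstance(value, str) and value == matcher["matched_property_value"]


def template_applies(template: dict, source: dict, destination: dict) -> bool:
    """All conditions from the overview must hold: source type, destination
    type, and every entry of property_matchers."""
    if template["source_node_type"] != source["type"]:
        return False
    if template["destination_node_type"] != destination["type"]:
        return False
    return all(matcher_applies(m, source, destination)
               for m in template.get("property_matchers", []))


def select_template(templates: list, source: dict, destination: dict) -> Optional[dict]:
    """Only the first matching template, in List order, applies."""
    for template in templates:
        if template_applies(template, source, destination):
            return template
    return None


def selected_template_id(templates: list, source: dict, destination: dict) -> Optional[str]:
    """Convenience wrapper returning just the id of the chosen template."""
    chosen = select_template(templates, source, destination)
    return chosen["id"] if chosen else None


def make_node(node_type: str, **properties) -> dict:
    """Constructed graph node shape used by this example (an assumption)."""
    return {"type": node_type, "properties": properties}


def _user_to_group_template(template_id: str, matchers: list, step: str) -> dict:
    return {
        "id": template_id,
        "source_node_type": "CustomUser",
        "destination_node_type": "CustomGroup",
        "property_matchers": matchers,
        "template_steps": [step],
    }


# Constructed sample templates in the order the List API would return them.
# The ids and the OTHER_PROVIDER value are made up for this example.
EXAMPLE_TEMPLATES = [
    _user_to_group_template(
        "tmpl-some-provider",
        [{"matched_node_type": MATCH_SOURCE,
          "matched_property_name": "provider_name",
          "matched_property_value": "SOME_PROVIDER"}],
        "Remove the user from the group in the SOME_PROVIDER admin console.",
    ),
    _user_to_group_template(
        "tmpl-other-provider",
        [{"matched_node_type": MATCH_SOURCE,
          "matched_property_name": "provider_name",
          "matched_property_value": "OTHER_PROVIDER"}],
        "Open a ticket with the OTHER_PROVIDER team to remove the membership.",
    ),
    # Catch-all with no matchers: must be listed last or it shadows the others.
    _user_to_group_template(
        "tmpl-any-provider",
        [],
        "Remove the user from the group in the application's admin console.",
    ),
]


if __name__ == "__main__":
    user = make_node("CustomUser", provider_name="SOME_PROVIDER")
    group = make_node("CustomGroup")
    print(selected_template_id(EXAMPLE_TEMPLATES, user, group))  # tmpl-some-provider
    # Reversing the list puts the catch-all first, so it wins instead.
    print(selected_template_id(list(reversed(EXAMPLE_TEMPLATES)), user, group))  # tmpl-any-provider
```

The reversed-list call shows the ordering caveat from the Overview: a template without property matchers that is listed before more specific ones will always be the one applied, so create catch-all templates last (or delete and recreate them after the specific ones).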
Examples
End-to-end example
After setting custom instructions, when creating remediation requests for certification results that meet the conditions:

- `"source_node_type": "CustomUser"`, AND
- `"destination_node_type": "CustomGroup"`, AND
- the source node has the property `"provider_name": "SOME_PROVIDER"`,

the instruction steps will be rendered from the template's `template_steps`, where `custom_provider:application:some_provider:user:username` and `custom_provider:application:some_provider:group:groupname` are the ids of the user and group for access removal.
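As an added example that is not part of this page or of Veza's code, the block below renders the `{{source.<property>}}` and `{{destination.<property>}}` placeholders described under Placeholders for the CustomUser to CustomGroup scenario above, producing the strings that would be stored with the recipe. The node property names (`id`, `provider_name`, `is_active`, `member_count`), the step texts, the Python approximation of `fmt.Sprintf("%v", value)`, and the choice to leave a placeholder for a missing property unchanged are all assumptions made for this example.

```python
import re
from typing import Any, List

# Matches {{source.prop}} or {{destination.prop}}; any other text is left alone.
PLACEHOLDER = re.compile(r"\{\{(source|destination)\.([A-Za-z0-9_]+)\}\}")


def format_value(value: Any) -> str:
    """Approximate Go's fmt.Sprintf("%v", value) for the value kinds used here
    (assumption: strings, ints, bools and lists of those)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, list):
        return "[" + " ".join(format_value(v) for v in value) + "]"
    return str(value)


def render_step(step: str, source: dict, destination: dict) -> str:
    """Replace every placeholder in one instruction string with the matching
    node property value."""
    nodes = {"source": source, "destination": destination}

    def substitute(match) -> str:
        node_name, prop = match.group(1), match.group(2)
        props = nodes[node_name].get("properties", {})
        if prop not in props:
            # Assumption: a placeholder for a property the node lacks is kept as-is.
            return match.group(0)
        return format_value(props[prop])

    return PLACEHOLDER.sub(substitute, step)


def create_recipe_steps(template_steps: List[str], source: dict, destination: dict) -> List[str]:
    """Render every option in template_steps once, at request-creation time.
    The returned strings are what gets saved with the recipe; later changes to
    the graph nodes do not affect them."""
    return [render_step(step, source, destination) for step in template_steps]


# Constructed nodes for the page's CustomUser -> CustomGroup scenario. The
# property names id, provider_name, is_active and member_count are assumptions.
SOURCE_USER = {
    "type": "CustomUser",
    "properties": {
        "id": "custom_provider:application:some_provider:user:username",
        "provider_name": "SOME_PROVIDER",
        "is_active": True,
    },
}
DESTINATION_GROUP = {
    "type": "CustomGroup",
    "properties": {
        "id": "custom_provider:application:some_provider:group:groupname",
        "member_count": 12,
    },
}

# Constructed template_steps: two alternative solutions, the second multi-step.
TEMPLATE_STEPS = [
    "Remove user {{source.id}} from group {{destination.id}} in the "
    "{{source.provider_name}} admin console.",
    "1: Open the {{source.provider_name}} admin console. "
    "2: Find group {{destination.id}} ({{destination.member_count}} members). "
    "3: Remove member {{source.id}} and save.",
]


if __name__ == "__main__":
    for rendered in create_recipe_steps(TEMPLATE_STEPS, SOURCE_USER, DESTINATION_GROUP):
        print(rendered)
```

Because rendering happens once and the result is stored, a later change to `provider_name` or `member_count` on the graph node leaves already-created recipes untouched, which matches the snapshot behaviour described under Placeholders.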
Multiple possible solutions
Instructions choice #1:
Instructions choice #2:
Multi-step instructions